data/osec.cron | 8 ++++++++
 data/pipe.conf | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/data/osec.cron b/data/osec.cron
index 8daed49..12b8eca 100755
--- a/data/osec.cron
+++ b/data/osec.cron
@@ -110,6 +110,13 @@ case "${PRESERVE_PRIVILEGES-}" in
 		;;
 esac
 
+read_only=
+case "${READ_ONLY-}" in
+	1|[Yy]|[Yy][Ee][Ss])
+		read_only=1
+		;;
+esac
+
 (
 	rc=0
 	$cmd /usr/bin/osec \
@@ -117,6 +124,7 @@ esac
 		${IGNORE_FIELDS:+-i "$IGNORE_FIELDS"} \
 		${HASH_TYPE:+-t "$HASH_TYPE"} \
 		${allow_root:+-R} \
+		${read_only:+-r} \
 		-D "$DATABASE_DIR" \
 		-f "$DIRS_FILE" ||
 		rc=$?
diff --git a/data/pipe.conf b/data/pipe.conf
index 36b3b28..e729cc9 100644
--- a/data/pipe.conf
+++ b/data/pipe.conf
@@ -26,6 +26,12 @@ IGNORE_FIELDS=
 # then leave this variable empty otherwise write 'yes'.
 PRESERVE_PRIVILEGES=
 
+# Read-only mode for report-only osec runs. When osec is running in
+# read-only mode it doesn't update the database files making each
+# run report about changes until the database is updated (by running
+# osec in read-write mode).
+READ_ONLY=
+
 # Do not generate a report, if there was no change.
 # WARNING: This is very dangerous to enable this option,
 # because if the osec will be disabled by intruder,